It is possible to detect an established SSH connection from your machine to a remote server: the lsof command lists the socket that the ssh process holds open.
I am running SSH over port 443, so the connection is mixed in with everything Firefox has open on that port. Piping the lsof output through grep to filter for the ssh process picks it out.
```
jason@jason-desktop:~/Videos$ lsof -i :443 | grep ssh
ssh     5272 jason    3u  IPv4  99884      0t0  TCP jason-desktop:49426->192.168.1.5:https (ESTABLISHED)
```
To capture the TCP packets exchanged when an SSH connection is started, use tcpdump like this.
```
jason@jason-desktop:~/Videos$ sudo tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
09:45:31.749134 IP jason-desktop.49584 > 192.168.1.5.https: Flags [P.], seq 2410466230:2410466271, ack 736001194, win 502, options [nop,nop,TS val 959057300 ecr 952037], length 41
09:45:31.848972 IP 192.168.1.5.https > jason-desktop.49584: Flags [P.], seq 1:43, ack 41, win 227, options [nop,nop,TS val 952137 ecr 959057300], length 42
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```
These two packets are the protocol version banners exchanged when the SSH connection is initiated: each side's banner begins with the ASCII bytes "SSH-", which is 0x5353482D in hex. The filter `tcp[(tcp[12]>>2):4]` reads the TCP data offset from byte 12 of the TCP header, converts it to a header length in bytes, and compares the first four bytes of the payload that follows with that constant. Nothing in the expression refers to a port, so it matches SSH banners on any port, including the port 443 used here. This is how to see SSH connections as they are initiated.
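The following Python script is an added example, not code from the original post: it re-implements the arithmetic of that tcpdump filter on raw IPv4/TCP packets so you can see exactly which bytes it compares. It walks past the IPv4 header, reads the TCP data offset from `tcp[12]`, and checks whether the four payload bytes that follow are "SSH-". The TLS packet embedded below is the hex dump shown later in this post; the SSH banner packet is constructed here (no checksums, made-up sequence numbers) purely for the demonstration. The helper `banner_filter` shows where the 0x5353482D constant comes from and generalizes the filter to any four-byte payload prefix.

```python
import struct
from typing import Optional

SSH_BANNER_MAGIC = 0x5353482D  # big-endian value of the ASCII bytes b"SSH-"


def banner_filter(prefix: bytes) -> str:
    """Build the tcpdump expression that matches a 4-byte TCP payload prefix.
    banner_filter(b"SSH-") reproduces the filter used in the post."""
    if len(prefix) != 4:
        raise ValueError("BPF compares at most 4 bytes at once")
    return "tcp[(tcp[12]>>2):4] = 0x%08X" % struct.unpack("!I", prefix)[0]


def tcp_payload_prefix(ip_packet: bytes) -> Optional[int]:
    """Return the first 4 TCP payload bytes as an int, mirroring tcp[(tcp[12]>>2):4].
    Returns None for non-TCP packets or packets too short to hold 4 payload bytes."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    if ip_packet[9] != 6:                  # IP protocol field: 6 = TCP
        return None
    tcp = ip_packet[ihl:]                  # tcpdump's tcp[] indexes from here
    if len(tcp) < 20:
        return None
    # tcp[12] carries the data offset (header length in 32-bit words) in its
    # upper nibble; shifting the whole byte right by 2 yields words*4 = bytes.
    hdr_len = tcp[12] >> 2
    payload = tcp[hdr_len:hdr_len + 4]
    if len(payload) < 4:
        return None
    return struct.unpack("!I", payload)[0]


def looks_like_ssh_banner(ip_packet: bytes) -> bool:
    """True when the packet would be selected by the post's tcpdump filter."""
    return tcp_payload_prefix(ip_packet) == SSH_BANNER_MAGIC


def build_tcp_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP frame around `payload` (checksums left zero)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must pad to a multiple of 4 bytes")
    tcp_hdr_len = 20 + len(tcp_options)
    data_offset_byte = (tcp_hdr_len // 4) << 4        # upper nibble = words
    tcp = struct.pack("!HHIIBBHHH", 49426, 443, 1, 1,
                      data_offset_byte, 0x18, 502, 0, 0) + tcp_options
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 5]))
    return ip + tcp + payload


# nop, nop, timestamp option (kind 8, length 10): the 12-byte option block
# seen in the captured SSH packets above, with constructed values.
TS_OPTIONS = b"\x01\x01\x08\x0a" + struct.pack("!II", 959057300, 952037)

# Constructed client banner packet: same shape as the first captured packet.
SSH_BANNER_PACKET = build_tcp_packet(b"SSH-2.0-OpenSSH_8.9\r\n", TS_OPTIONS)

# The TLS packet from the hex dump shown in this post (port 443, no options).
PAGE_TLS_PACKET = bytes.fromhex("""
4500 0085 a239 4000 4006 3286 c0a8 0102
6810 3bf9 e7b6 01bb acbb 2140 76f7 7aeb
5018 2421 662b 0000 1703 0300 5805 3311
7e11 f1c3 e253 8a23 df60 53b3 b302 3dd9
40ea fbe4 43fd 9569 e79d fce7 2a94 580c
ef79 9593 34a3 3d36 7d4b 7655 789c 22f7
d689 cd32 0a39 6920 c4e0 2827 7e97 6cd1
7b81 230e 508b 7c85 1b54 917c 0f53 bd68
74c2 0edf 5d
""")

if __name__ == "__main__":
    print(banner_filter(b"SSH-"))
    for name, pkt in (("ssh banner", SSH_BANNER_PACKET), ("tls record", PAGE_TLS_PACKET)):
        print("%-10s payload prefix 0x%08X  matches filter: %s"
              % (name, tcp_payload_prefix(pkt), looks_like_ssh_banner(pkt)))
```

Both packets go to port 443, which is the point: the TLS record starts with 0x17030300 (application data, TLS 1.2 record version) and is rejected, while the constructed banner packet is selected even though its TCP header carries 12 bytes of options. Because both the client and the server send a banner, a single handshake yields two matching packets, exactly as in the capture above.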
Of course, once a session is encrypted, a packet viewed in tcpdump looks like the one below and is of little use unless it can be decrypted.
```
09:44:17.382119 IP 192.168.1.2.59318 > 104.16.59.249.443: Flags [P.], seq 2897944896:2897944989, ack 1995930347, win 9249, length 93
	0x0000:  4500 0085 a239 4000 4006 3286 c0a8 0102  E....9@.@.2.....
	0x0010:  6810 3bf9 e7b6 01bb acbb 2140 76f7 7aeb  h.;.......!@v.z.
	0x0020:  5018 2421 662b 0000 1703 0300 5805 3311  P.$!f+......X.3.
	0x0030:  7e11 f1c3 e253 8a23 df60 53b3 b302 3dd9  ~....S.#.`S...=.
	0x0040:  40ea fbe4 43fd 9569 e79d fce7 2a94 580c  @...C..i....*.X.
	0x0050:  ef79 9593 34a3 3d36 7d4b 7655 789c 22f7  .y..4.=6}KvUx.".
	0x0060:  d689 cd32 0a39 6920 c4e0 2827 7e97 6cd1  ...2.9i...('~.l.
	0x0070:  7b81 230e 508b 7c85 1b54 917c 0f53 bd68  {.#.P.|..T.|.S.h
	0x0080:  74c2 0edf 5d                             t...]
```
Still, being able to see which connections are currently established, or in the process of being established, is very useful. This tip should help you when working on a Linux machine on a network.